The Toronto Star
Thursday, October 23, 1997

How to protect your privacy on the Net

There are no rules, so users must safeguard their security, experts say

by Valerie Lawton

Photo caption:
`Surfer Beware': Many World Wide Web sites can identify information users have downloaded, privacy expert Eugene Oscapella warns. A study says none of the 100 most popular Web sites meets basic privacy standards.
No one will ever know you're surfing the Internet in your pyjamas but little else is a secret once you take to the keyboard.

Electronic eyes are watching.

``Just imagine yourself going into a library and having somebody stand there and look as you pull a book down from the shelf and watching as you turn to a page of the book'', says Eugene Oscapella of the privacy commissioner's office in Ottawa.

``When you visit quite a number of web sites, they can identify the information you've downloaded.''

Privacy experts like Oscapella say there are no rules of the road when it comes to privacy on the Net so it's up to users to know how they're vulnerable.

That means asking questions about security and how data is used before shopping on the Internet. It also means Internet users should be aware where they go and what they say on the Net often isn't private.

Many beginners don't know, for example, that Web browsers contain software that enables files with a harmless-sounding name - cookies - to track your movements during a Web site visit.

Cookies are files that can be loaded into, stored on and retrieved from your computer by Internet sites without your knowledge.

The information can be used to find out what you're interested in. On the plus side, it means the next time you visit, the site can bring up new pages that match what you like to read.

But many people are uncomfortable with the idea of being watched.

The Washington-based Electronic Privacy Information Centre, a leading public interest group, recently checked out the 100 most popular Web sites and concluded not one met basic privacy protection standards.

Among its findings:

EPIC says informing users about when personal information is being collected and how it will be used is a ``matter of basic fairness''.

``Until clear practices are established and good policies put in place, our advice is simply this: Surfer beware'', the study concludes.

Surfers should also beware when they post messages on chat groups. Those electronic eyes can keep tabs on you there too, even years after you keyed in the message.

Pulling up a list of every message you've ever posted to the 15,000-plus chat groups on the Internet forum Usenet News is a simple matter. All someone needs is a search engine called DejaNews.

It means a marketer can create a detailed profile of you if you're a regular chatter - things like what you do for a living, what your politics and hobbies are and perhaps even whether you own a Dalmatian or a goldfish.

It also means you're vulnerable if you've ever posted something to a kinky sex newsgroup - even as a lark.

Your friends, enemies, ex-spouse, neighbours, workmates - even a potential employer - can find it.

``If somebody got hold of the information you posted to the bondage discussion group, boy oh boy could they ever do some blackmailing'', says Oscapella, a policy adviser specializing in Internet issues.

And those messages are there for posterity, he warns.

``Somebody may download them. Somebody may use them against you some day. It doesn't go out into an anonymous void there. It's very much linkable to you.''

``You've got to be careful. You've got to think of yourself standing on top of a tower in the centre of the city yelling out at the top of your lungs.''

The police are also aware of the potential of something like DejaNews to collect evidence.

``DejaNews provides the investigator with the ability to quickly profile suspected newsgroup criminals from the convenience of the desktop'', says a recent article in the RCMP newsletter, Pony Express.

The story goes on to tell officers: ``It seems remarkable that so much information about a person's Internet behaviour is publicly available to anyone with Internet access. Privacy legislation may eventually place some restrictions on this availability.''

So what's a surfer who wants privacy to do?

Don't expect legislation any time soon. The Internet - an unregulated network of computers linked mostly by telephone lines - is so big and so international that setting and enforcing privacy laws would be extremely difficult.

But user concerns may force some change. Surveys show people don't like to give personal information, don't trust companies that ask for it and enter false information as much as a quarter of the time when a Web site asks for it.

Polls have found 70 per cent of computer users named privacy as the main reason for not registering demographic data when a Web site asks for it.

Companies like Microsoft and Netscape have proposed something called the Open Profiling Standard to calm privacy concerns.

Internet users would be able to fill in a common electronic form to give information about who and where they are along with details about their hobbies and what they like to shop for. Users will then be able to decide what information to provide to a particular Web site.

Web site operators aren't supposed to give or sell the data to other businesses without consent.

The system would be checked by outside auditors. (For more details see www.firefly.net/press/OPS.QandA.html)

Critics have questioned whether Web site operators would follow the Open Profiling Standard rules.

In the United States, the Direct Marketing Association is developing a program to allow consumers to put their names on a don't-send-me-E-mail list.

But for now at least, most privacy advocates say it's largely up to individual computer users to protect themselves.

``The public just needs to be better educated about the Internet'', says David Jones, the president of the non-profit Electronic Frontier Canada.

``People say in poll after poll they care about privacy. Just exercise your freedom of choice. Say no when it matters. If you want to give up your personal information and you get some benefit from it - go for it - that's your choice.''

There are a number or privacy-protection options: Have your browser alert you when a Web site asks to send you a cookie. Some newer browsers allow a user to block cookies.

Try the cookie-disabling software that's available. Use anonymizer software while you surf. Send E-mail through an anonymous remailer.

Guarding your privacy can also mean not using a browser that does not contain adequate privacy protections.

It also means thinking twice before turning over your data.

``I don't think the burden should necessarily be placed on the government or business to hold our hands and to guard our privacy for us'', said Jones, a computer science professor at McMaster University.

``If we're given the tools we can use to protect our own privacy, that's enough. And if people are too lazy to use them, I think it means privacy didn't mean too much to them after all.''

``We get the privacy we deserve.''

Copyright © 1997 by The Toronto Star. All Rights Reserved. Reprinted with permission.